With ransomware on a trajectory to inflict more economic damage in 2021, it’s clear that encrypting and exfiltrating data is a big business. Cybercriminals proved throughout the pandemic that they will go after the most resource-constrained segments of our societal infrastructure to line their wallet.
Take their battering of the healthcare industry, for instance, that not only had to navigate the frontlines of a deadly pandemic but the never-ending cybersecurity threats that imperiled the lives of patients around the world. Or their shift to tormenting education institutions adapting to new online learning platforms, like the attack that forced the University of California, San Francisco to fork over $1.14 million to hackers who encrypted and threatened to publish sensitive data stolen from the institution’s School of Medicine.
With vulnerable businesses willing to hand over large payouts (the average ransom payment increased by more than 100 percent this year), it’s hardly a surprise that the number of attacks has jumped 350 percent since 2018. Ransomware families such as Ryuk, WastedLocker, and REvil are proving to be ruthless, well-funded, and willing to target anyone, including Covid-19 vaccine manufacturers, local governments, and schools, to get their payday.
With that said, here are four ways criminals will innovate in the ransomware landscape this year and how even those who can’t afford a Security Operations Center can take immediate actions to protect themselves from attack.
1. Cybercriminals will continue to shift from single machine targets to lateral movement
Ransomware has proved to be incredibly successful in the past year. Attacks nowadays are much like the regular intrusion operations that we’ve seen for decades where hackers gain entry into an organization through a phishing attack or by exploiting a known or unknown vulnerability. However, it’s what they do once they gain access that has shifted significantly in recent years. Instead of focusing on single machine targets, they spread laterally through entire networks. They hunt high privilege credentials, exfiltrate information and then deploy ransomware to lock up as many machines as possible.
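The lateral-movement phase described above leaves a recognisable footprint: one account, from one source address, authenticating to many different hosts in a short time. The following detector is an added example for this article, not code from the author or any product. The log lines are constructed, a simplified one-line-per-event rendering of Windows Security event 4624 (successful logon) using that event's field names; the ten-minute window and five-host threshold are assumptions to tune per environment, and events must be fed in chronological order.

```python
"""Flag one-account-to-many-hosts authentication fan-out, the footprint that
lateral movement leaves in Windows logon events.

Added example for this article, not the author's or any product's code. The
log lines are constructed: a simplified one-line-per-event rendering of
Windows Security event 4624 using its field names (LogonType, TargetUserName,
IpAddress, Computer). Window and threshold are assumptions; input must be in
chronological order.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one account sweeps six hosts in four minutes from one
# source IP, a normal user touches two hosts, and a service logon is ignored.
SAMPLE_EVENTS = """\
2021-01-14T09:00:05 EventID=4624 LogonType=3 TargetUserName=j.doe IpAddress=10.0.5.21 Computer=FS01
2021-01-14T09:00:41 EventID=4624 LogonType=3 TargetUserName=a.smith IpAddress=10.0.7.8 Computer=MAIL01
2021-01-14T09:00:59 EventID=4624 LogonType=3 TargetUserName=j.doe IpAddress=10.0.5.21 Computer=FS02
2021-01-14T09:01:30 EventID=4624 LogonType=5 TargetUserName=svc_backup IpAddress=- Computer=BKP01
2021-01-14T09:01:52 EventID=4624 LogonType=10 TargetUserName=j.doe IpAddress=10.0.5.21 Computer=DC01
2021-01-14T09:02:13 EventID=4624 LogonType=3 TargetUserName=a.smith IpAddress=10.0.7.8 Computer=MAIL01
2021-01-14T09:02:47 EventID=4624 LogonType=3 TargetUserName=j.doe IpAddress=10.0.5.21 Computer=HR-PC7
2021-01-14T09:03:05 EventID=4624 LogonType=3 TargetUserName=a.smith IpAddress=10.0.7.8 Computer=FS01
2021-01-14T09:03:38 EventID=4624 LogonType=3 TargetUserName=j.doe IpAddress=10.0.5.21 Computer=FIN-PC3
2021-01-14T09:04:10 EventID=4624 LogonType=3 TargetUserName=j.doe IpAddress=10.0.5.21 Computer=SQL01
"""

# Logon type 3 (network: SMB, WMI, remote service creation) and 10 (RDP) are
# what remote-to-remote movement produces; 2 (console) and 5 (service) are
# local and excluded.
LATERAL_LOGON_TYPES = {"3", "10"}


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts_str, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_fan_out(lines, window=timedelta(minutes=10), threshold=5):
    """Return one alert per (account, source IP) that reaches `threshold`
    distinct destination hosts within `window`."""
    recent = defaultdict(deque)  # (user, src_ip) -> deque of (ts, host)
    alerted = set()
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = parse_event(line)
        if event.get("EventID") != "4624" or event.get("LogonType") not in LATERAL_LOGON_TYPES:
            continue
        key = (event["TargetUserName"], event["IpAddress"])
        history = recent[key]
        history.append((event["ts"], event["Computer"]))
        # Drop entries that have aged out of the sliding window.
        while history and event["ts"] - history[0][0] > window:
            history.popleft()
        hosts = sorted({host for _, host in history})
        if len(hosts) >= threshold and key not in alerted:
            alerted.add(key)  # one alert per key, not one per further logon
            alerts.append({
                "user": key[0],
                "source_ip": key[1],
                "hosts": hosts,
                "first_seen": history[0][0],
                "last_seen": event["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_fan_out(SAMPLE_EVENTS.splitlines()):
        span = alert["last_seen"] - alert["first_seen"]
        print(f"{alert['user']} from {alert['source_ip']} reached "
              f"{len(alert['hosts'])} hosts in {span}: {', '.join(alert['hosts'])}")
```

On the sample, only j.doe trips the rule (five distinct hosts within four minutes), while a.smith's repeated logons to the same mail server stay below threshold. In production the same logic runs over a SIEM's 4624 feed; pairing an alert with event 4672 (special privileges assigned) on the same account is a cheap way to surface the high-privilege credential hunting the article describes.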
On the criminal side, it has been one of their most significant innovations. It allows them to inflict more damage and reap greater rewards as they infiltrate entire businesses rather than just one victim. And as these groups grow more ruthless and power-hungry, we expect the economics of this to keep shifting throughout the year. They will continue to exfiltrate as much data as possible to mine for IP or to sell on the dark web, and even once that data has been fully exploited, they will still encrypt for ransom.
Indeed, in the middle of this historic health crisis, ransomware has become its own epidemic, impacting businesses of all sizes, not just big-game companies like Garmin. Even smaller organizations are being ruthlessly targeted, especially those that deliver critical services in healthcare, manufacturing, local government, and public schools. And as mentioned earlier, ransom sizes have risen substantially, with the average payout for those infected by Maze ransomware reaching almost $2.5 million and Ryuk nearly $1.5 million. These criminals understand the financial impact of downtime on a business and therefore know that they can force organizations’ hands into making an immediate payment.
2. More extortion (even without encryption)
Worryingly, ransomware will no longer be the only problem in 2021, as the rise of extortion will involve threat actors who exploit access into networks, install highly persistent malware, target backups, steal data and ultimately, threaten to expose the compromise. While extortion wasn’t a major threat until the end of 2019, when ransomware group Maze (who announced their retirement last November) started using it as a tactic, extortion demands rose exponentially in 2020.
In fact, according to BBR Services, the in-house breach response team of insurance company Beazley, the number of cyber-extortion demands being paid doubled year-over-year. Now, due to its substantial return on investment, the number of cybercrime groups putting their foot in the door is multiplying, including progressive groups like Fin7 that have traditionally only targeted POS systems and credit cards.
While government agencies and cybersecurity experts regularly advise victims not to meet extortion demands by paying the ransom, the reality is, many feel it’s the quickest and easiest way to restore their network and protect their business from long-term damage. With so much on the line, it’s also possible that we start seeing extortion without encryption in the near-term.
3. Human-operated ransomware attacks take center stage
Besides high ROI, another reason ransomware attacks are rising is the growth of so-called human-operated ransomware. This refers to gangs that don’t just rely on malware and opportunistic infections but also put advanced network-penetration and other hands-on skills at the top of their toolboxes. So, instead of only delivering malware through downloaders, the attacker controls the infiltration and the propagation of the encryption, and can keep trying to deliver it until they succeed.
Many of these operations also appear to focus more on big-game hunting, which means they try to take down larger targets that eventually yield larger payouts. My company investigated several incidents in 2020 where cybercriminals attempted to deliver Ryuk and Egregor ransomware to organizations in the healthcare and financial markets. In the Ryuk case, the attackers sent the ransomware four times in four hours while they waited for remote workers to connect to the VPN, while in the Egregor incident, they attempted to do so on three separate occasions. In addition to this, we also investigated similar attack chains that utilized the network for proxy attacks and resource utilization in the cases where there was no IP.
We will see these types of incidents more regularly, and we will see attackers change the ransomware they try to deliver and the tools they use until they succeed, as was the case in our Egregor investigation. And the threat of detection won’t scare them away, either.
4. Attacks will transition from mass-phishing to spear-phishing
Targeted phishing, or spear-phishing, is one of the attackers’ main tools to compromise endpoints and gain a foothold in the enterprise network. The attacker uses a specially crafted email message that lures users into performing an action that results in malware infection, credential theft, or both. It’s often the first step that enables advanced persistent threats (APTs) and targeted attacks. And all signs point to increased deployment.
In fact, according to recent data from Capgemini Research Institute, spear-phishing alone has already increased by 67% since the beginning of lockdown. Even the FBI issued a warning in July about an increase in these types of attacks targeting multiple industry sectors, with employee endpoints becoming the path of least resistance into a business’s network.
In December, for example, a campaign was uncovered that was targeting 200 million Microsoft Office 365 users in several key vertical markets, including financial services, healthcare, manufacturing, and utility providers. The attack was especially deceptive because it used an exact domain spoofing technique, in which an email is sent from a fraudulent source but carries a sender domain identical to the spoofed brand’s domain. This means even savvy users who check sender addresses to ensure an email is legitimate were likely fooled.
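Because exact domain spoofing puts the brand’s genuine domain in the visible From: header, the only defence that works is the one the receiving mail gateway can apply: checking whether the identifiers that actually passed authentication (the SPF-checked envelope sender and the DKIM signing domain) align with that From: domain, which is what DMARC (RFC 7489) specifies. The script below is an added example for this article, not code from the author or any vendor. Both messages are constructed, brand.example and mail-relay.example are placeholder domains, and organizational-domain matching is simplified to the last two DNS labels where a real implementation consults the Public Suffix List.

```python
"""Check DMARC identifier alignment on an inbound message.

Added example for this article, not the author's or any vendor's code. The
two messages are constructed; brand.example and mail-relay.example are
placeholders. Organizational-domain matching is simplified to the last two
labels (real implementations use the Public Suffix List).
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: a genuine notification whose SPF and DKIM identifiers are the
# brand's own domain.
LEGITIMATE_MESSAGE = """\
Return-Path: <bounce@brand.example>
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=brand.example; dkim=pass header.d=brand.example
From: Brand Alerts <alerts@brand.example>
To: user@receiver.example
Subject: Your statement is ready

Your monthly statement is available.
"""

# Constructed: exact domain spoofing. The visible From: is the brand's real
# domain, but the message was relayed by a third-party host whose SPF record
# covers only its own domain, and it carries no DKIM signature.
SPOOFED_MESSAGE = """\
Return-Path: <bounce-7f3@mail-relay.example>
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=mail-relay.example; dkim=none
From: Brand Security <security@brand.example>
To: user@receiver.example
Subject: Action required: verify your account

Sign in within 24 hours to keep your account active.
"""


def org_domain(domain):
    """Simplified organizational domain: the last two DNS labels."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain, from_domain, mode="relaxed"):
    """DMARC alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "strict":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_authentication_results(header):
    """Extract SPF/DKIM results and the domains they were evaluated for."""
    def grab(pattern):
        match = re.search(pattern, header or "")
        return match.group(1) if match else None

    spf_domain = grab(r"smtp\.mailfrom=([^\s;]+)")
    if spf_domain and "@" in spf_domain:  # some MTAs record the full address
        spf_domain = spf_domain.rpartition("@")[2]
    return {
        "spf_result": grab(r"\bspf=(\w+)"),
        "spf_domain": spf_domain,
        "dkim_result": grab(r"\bdkim=(\w+)"),
        "dkim_domain": grab(r"header\.d=([^\s;]+)"),
    }


def dmarc_verdict(raw_message, mode="relaxed"):
    """DMARC passes when at least one authenticated identifier (SPF or DKIM)
    both passed and aligns with the From: header domain."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    auth = parse_authentication_results(msg.get("Authentication-Results"))
    spf_aligned = auth["spf_result"] == "pass" and is_aligned(auth["spf_domain"], from_domain, mode)
    dkim_aligned = auth["dkim_result"] == "pass" and is_aligned(auth["dkim_domain"], from_domain, mode)
    return {
        "from_domain": from_domain,
        **auth,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    for label, raw in (("legitimate", LEGITIMATE_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        v = dmarc_verdict(raw)
        print(f"{label}: From={v['from_domain']} spf={v['spf_result']}/{v['spf_domain']} "
              f"dkim={v['dkim_result']}/{v['dkim_domain']} -> DMARC "
              f"{'pass' if v['dmarc_pass'] else 'fail'}")
```

Both messages show security@brand.example or alerts@brand.example to the user, and the spoof even passes SPF, because the relay’s own domain is the one SPF evaluated. Only the alignment step separates them, which is why the brand publishing a DMARC policy of quarantine or reject, and the receiver enforcing it, matters more than any amount of user vigilance against this technique.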
Growing both more sophisticated and realistic, we expect spear-phishing campaigns to continue to wreak havoc going forward.
Protecting your endpoints from ransomware at all costs
The reality is, for as long as businesses leave themselves vulnerable, cybercriminals will jump at every chance to extort hefty payouts from their targets. And with millions still committed to working from home for the foreseeable future (and maybe even permanently), attackers will continue to leverage VPN and RDP vulnerabilities and credentials to infiltrate systems.
Yet, for many reasons, whether restrained budgets or ignorance of the damage that could befall them if they’re hit, many organizations are still without effective cybersecurity protocols. For organizations faced with highly sophisticated and targeted attacks from well-resourced cybercrime groups like Evil Corp, standard AV and EDR platforms are of little use. Yes, siloed backups can provide mitigation in case of a successful attack, but targeted ransomware like WastedLocker usually aims to knock out backups as a key attack priority.
It’s therefore vital that C-Suites prioritize a proactive cyber defense that adopts a Zero Trust posture and reduces the attack surface, because only through these methods can corporate networks protect themselves from the evolving threats they face.